Refactoring code sample for connecting to CloudSQL databases using Cloud SQL Connector for Java #8794
Comments
minherz
added
type: feature request
product-auto-label
bot
added
the
samples
|
@enocom can you please triage this? Does the use of Cloud SQL Connector for Java is different for different DB instance types hosted by CloudSQL? Do we need the connector when we run on GCP (e.g. on Cloud Run) in the first place or the connector is useful when running workloads out of GCP? Thank you |
Would you elaborate on that point? What makes these samples have poor security?
There are minor differences between MySQL and Postgres, and SQL Server. If we scope the samples down to just creating a connection (or DataSource more specifically), then we could consolidate all three into one.
The Connector is useful across environments. In general, the most important part of these samples are the places we have region tags: 1, 2. In my opinion, if samples are about demonstrating a single connection, then we don't need all the application-related code. |
|
Thank you for the explanation. The code sample guidelines require one code snippet per file. Depending on documentation and implementation we can check if this sample can be consolidating into a single file for all three database types. We can include consolidation of the region tags into this issue as a stand-alone topic. Let me know if you will need assistance in providing code samples in other languages because I see these region tags referenced only Java samples for now. Regarding your question:
The readme file (the link is for MySql example but it is true for all three) instructs to use SA key and DB credentials explicitly. This practice is long time deprecated in favor of more secure approach that does not require explicitly defining credentials in the environment. Well, you will need some form of authentication if you instruct to run the code sample on prem but this code sample is expected to run on GCP (specifically on Cloud Run). Same way, DB credentials can be loaded from secret manager instead of being used directly. If they do, we should emphasis both in the documentation and in code that this is not secure way and reference to the recommended way. |
|
Ah I see. Yes, the README is a mess. Shall we just delete them? |
This might be an issue on some our other language samples as well. We should avoid mentioning downloading SA keys. I don't think removing the READMEs is the optimal solution though. I can fold README updates into my samples work. |
and others
The repo hosts three code samples that demonstrate the use of the Cloud SQL Connector for Java to connect to the managed versions of MySQL, Postgres and SQL Server databases (CloudSQL).
These three samples are implemented as three-tier applications with the frontend running in the browser, backend running on CloudRun and using CloudSQL database as a datalayer.
In its current format these code samples are hard to maintain. They also go out of the line compared to other code samples because of their complexity, lack of region tag association and loosely trackable exposure via code samples browser only.
Additionally these code samples show connectivity practices that are discouraged due their poor security.
The following modifications are recommended to ALL code samples:
These recommendations can be implemented in the scope of this issue or designated issues can be created to address each of them separtely.
The text was updated successfully, but these errors were encountered: